look(1) will access /usr/share/dict/words to look for the string we want, or it

may access another file instead if we mention it via argument. In order to know
which file to unveil(2) we need to push down pledge(2) a little bit after
getopt(3) and now that we know the name of the file we can unveil(2) it only
with read permissions.

OK deraadt@

diff --git a/usr.bin/look/look.c b/usr.bin/look/look.c
index a611263..baf3486 100644 (file)
--- a/usr.bin/look/look.c
+++ b/usr.bin/look/look.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: look.c,v 1.21 2017/01/21 10:03:27 krw Exp $   */
+/*     $OpenBSD: look.c,v 1.22 2018/08/11 11:00:34 mestre Exp $        */
 /*     $NetBSD: look.c,v 1.7 1995/08/31 22:41:02 jtc Exp $     */
 
 /*-
@@ -77,9 +77,6 @@ main(int argc, char *argv[])
        int ch, fd, termchar;
        char *back, *file, *front, *string, *p;
 
-       if (pledge("stdio rpath", NULL) == -1)
-               err(1, "pledge");
-
        file = _PATH_WORDS;
        termchar = '\0';
        while ((ch = getopt(argc, argv, "dft:")) != -1)
@@ -113,6 +110,11 @@ main(int argc, char *argv[])
                usage();
        }
 
+       if (unveil(file, "r") == -1)
+               err(2, "unveil");
+       if (pledge("stdio rpath", NULL) == -1)
+               err(2, "pledge");
+
        if (termchar != '\0' && (p = strchr(string, termchar)) != NULL)
                *++p = '\0';